this means we do not have the key, identified above, that was used to sign the message. we have no way to know who sent this message. the from address says the message is from Tom Beasley -- but --anyone could send a message claiming to be Tom Beasley -- or Richard Nixon -- or anyone they wish to impersonate . this is unacceptable for business -- or private communication.

we get a message back from Beasley stating that he has uploaded his key

as soon as we download his key -- we should be able to validate his messages,--

ENIGMAIL provides a dialog for downloading the key
( you do need to know which key server is being used )

notice that his signature remains unverified until we get his key downloaded,--

well now! we have his key -- and it is correct on his message -- but ENIGMAIL is telling us his key is UNTRUSTED.
this is because his key is NOT VALID: at this point we have NO ASSURANCE that key "5C8D8076 " actually belongs to Beasley. We could be talking to Nixon -- for all we know -- at this point. We must have the key validated -- so that we are sure that key "5C8D8076" actually belongs to Beasley

that is why we have designated Alice -- our administrative assistant -- to Validate Keys. On our system her key shows FULL trust: i.e. we trust Alice to validate keys for other employees . that is why Tom has to go see Alice. She can download his key, make sure it is key "5C8D8076 ", sign it, and then upload it for Tom;

you notice GnuPG checks its database and derives a value to the VALIDITY of Beasley's key
As we have assigned FULL trust to ALICE her signature on Beasley's key sets Beasley's status to VALID:
i.e. we are satisfied that key 5C8D8076 belongs to Beasley

we mark him UNTRUSTED -- i.e. we do not trust him in any manner to validate keys for others: we know who he is -- but we don't trust him to handle keys.

Citing ongoing security concerns, the Internal Revenue Service (IRS) has suspended a service offered via its Web site that allowed taxpayers to retrieve so-called IP Protection PINs (IP PINs), codes that the IRS has mailed to some 2.7 million taxpayers to help prevent those individuals from becoming victims of tax refund fraud two years in a row. The move comes just days after KrebsOnSecurity first exposed how ID thieves were abusing the service to revisit tax refund on innocent taxpayers two years running.

Email scam artists last week tricked an employee at data storage giant Seagate Technology into giving away W-2 tax documents on all current and past employees, KrebsOnSecurity has learned. W-2 forms contain employee Social Security numbers, salaries and other personal data, and are highly prized by thieves involved in filing phony tax refund requests with the Internal Revenue Service (IRS) and the states.

in our little parable here which i have written for this tutorial Alice acts as the introducer, validating keys for our new employees.

in real life we would need agencies that deal with validating identities to validate GnuPG, openPGP, and PGP keys for us. Such agencies could include our local credit union, DMV, County Clerk, Notary Public, &c

once a key is validated we would need to associate that key with our business contacts. this could be as simple as logging onto an online account and simply adding the key ID and server ID to the account data. the business could then access the validated key and following that would expect transactions, e/mail &c to be properly validated.

this stuff should have been done back in 1995. Instead we continue to use "Knowlege Base Authentication" (KBA); this in spite of the fact that the "knowlege" -- DoB, SSN etc -- has all been compromised and is readily available to scamsters via various resources available on the "DarkNet".

a Quick Word of Caution

Security depends on the use of a secure operating system. a secure operating system will not allow itself to be corrupted by the activity of an application program; nor will it allow one application program to steal data from another .

now that we think we understand PGP it's time to take off the Cowboy Hats and put on the Thinking Caps

Think like a Hacker

a Hacker will study an information flow, and look for a weakness -- a point where he can impersonate a source in order to manipulate a target

I might think I could use PGP to sign my tax return -- and thus foil any scamster who plans to submit a forged return. to do this he needs to generate a keypair with my ordinary identifications on it -- and get that signed by an accredited service -- and submit it to the IRS

to prevent this we will need a change control procedure with two sections:
(a) initial submission and validation of key;
(b) change procedure;

While we are thinking about this I'll relate a little parable. This is a true story that affected this writer.

the annuity manager for one of my retirement annuities abruptly sent me an e/mail stating that i had changed my mailing address to someplace, Klamath Falls. I promptly called them on the phone and had them correct my address back to Michigan.

the attacker immediately changed the address back to Klamath again.

this was repeated 3 times before the attacker gave up.

the important lesson here is -- just implementing PGP is not sufficient; security must be established and then maintained. Maintenance must protect keys from tampering.

the nice thing about PGP is -- once security is established -- we can required changes to be sent via the secure channel,-- up to and including provision of a new public key .

security should be established immediately on new accounts. on existing accounts an existing document could be signed and re-submitted in order to help verify the sender's key. to thwart this the attacker would need an exact machine readable copy of a document to be used for the validation. an attacker might attempt to open a new account on behalf of the victim -- e.g. a credit card. in this case he would not have the proper signature to do it -- although he might have generated one that would look valid to the provider. once the account went active the fraud would be exposed when the signatures didn't check out .

I'm going to throw my thinking cap in the back of the truck now and get my Cowboy hat and a ceegar

Mike, you keep showing Amor a lot in some of your code shots. With the PGP tools in Enigmail will those do the same thing? Package manger when going there makes look like it does. So got to wondering about if installing from there would do any more for Enigmail or no. My curiosity on security is getting worse than that damn proverbial cat that keeps getting into trouble if left alone.

Georgia boy wrote:Mike, you keep showing Amor a lot in some of your code shots. With the PGP tools in Enigmail will those do the same thing? Package manger when going there makes look like it does. So got to wondering about if installing from there would do any more for Enigmail or no. My curiosity on security is getting worse than that damn proverbial cat that keeps getting into trouble if left alone.

"armor" -- is not something you need to install -- it's a standard feature of any version of PGP

remember: the tutorial here is not intended to be a substitute for the manual; rather it is a set of examples that may help the reader dig the stuff out of the manual that he may need for whatever he wants to do.

in the example i did not specify the --output option; for that reason the original file name is appended with the ".asc" suffix and that becomes the "armor" file

all that it does is convert the cipher text into 7-bit printable ascii . this was done to reduce problems in transmission where 8-bit characters can sometimes act as control characters and confuse the transmission software . the use of 'armor' continues today as a 'best practice'

In e/mail systems PGP/Mime is used. this is similar but expanded so as to act as a container as well as armor. as a 'container' PGP/Mime can include HTML message text, attached documents of any sort and digital signatures . *

on any test message in Thunderbird/ENIGMAIL just do a "view source" and you see the PGP/Mime data is just a character stream -- similar to above.

---
* my copy of Thunderbird ( 38.5.1 ) is having problems decrypting any PGP/Mime that includes HTML with embedded graphics -- or attachments. the example data shown here was encrypted on T/Bird -- but the message had to be decrypted using CLAWS mail .

the sample message shown here includes a .pdf attachment which has some .png image data included

Note, do NOT uninstall gnupg. This is still used by many other parts of the operating system, including aptitude itself.

Thunderbird will automatically use gpg2 if you have it installed ( and I think it's required in the current versions )

Thunderbird/ENIGMAIL offers an *excellent* key-management dialog -- numerous example of which are shown as screen image snips in this tutorial. with their key-management dialog you should not need to deal with GnuPG directly or using an alternate edit such as KGpg

Evolution

the Evolution e/mail client is also very well done although you may wish to use the the KGpg key manager with this program.

KGpg

KGpg is a good "GUI" interface to GnuPG although you do need to configure it for gpg2 and for key servers.

command line

a number of examples shown in this sequence have shown command line output
for complete documentation of Command Line options. GnuPG Reference Manual

Claws Mail

Claws Mail is cool, -- in an interesting way --
they don't like HTML mail -- although they have a plug-in that will display HTML formatted mail for you.
they don't have an HTML editor. At first I thought they were really backward -- but -- on 2d thought -- maybe not. Maybe e/mail should have never been more than a transport service... kinda like the old FIDO system .

CLAWS does allow you to compose in whatever -- and send as attachment

ZIP / tar

Anytime you have a collection of files that need to be signed and sent the best option is to use ZIP or Archive Manager to put all the files into a container -- such as .zip or .tar.gz --etc After that you can sign the .zip or .tar container and then zip or tar your signature together with your archive as .zip or .tar -- whatever you are using -- and this will then give you a single file that can be transmitted/downloaded -- including a signature .